MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94b0f090b6eea3eab0c799239b5a3be63245a4372272b06461b1e155c9b9535b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94b0f090b6eea3eab0c799239b5a3be63245a4372272b06461b1e155c9b9535b
SHA3-384 hash: 0e2315d06b94404f2ec4e661ff1b895cdf40827e4657b7ce6a9eb1863c52a9bc039ac98d210b68017c45afbd50652df5
SHA1 hash: fd07f64d2f0a88149822b8652c797ff0deebef38
MD5 hash: 38db5a46a3e1e749720122b74d2ffd24
humanhash: golf-speaker-hydrogen-burger
File name:38db5a46a3e1e749720122b74d2ffd24.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:609'280 bytes
First seen:2022-03-29 07:31:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6177777cd67f32c7dfaa28c6d6e9d36d (3 x RedLineStealer, 1 x RaccoonStealer)
ssdeep 12288:g4K7app/tHPgBAqzAg9MwQS03ULaHNqrxlKIQNoiMHWkSrYPiATSvs1:XRvHqzAxwkEaHNYK3V30itQ
Threatray 1'999 similar samples on MalwareBazaar
TLSH T101D433D029C27D81E59A06B2073FF90F05F6A496CA1DB48DD29DEF4B3EB403AD41C4A5
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
94b0f090b6eea3eab0c799239b5a3be63245a4372272b06461b1e155c9b9535b.exe
Verdict:
Malicious activity
Analysis date:
2022-03-29 18:08:08 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/3de8115f-1bfd-4a1e-97eb-b8e62bf0d0eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/259023/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6242b5f7a19c649412a483a2/reports/86c7531b-c121-4e5a-97c2-d6d2d88d75da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51cb0081-03a5-4cca-af5e-073e58fcb1d1
Result
Threat name:
Quasar RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/966525
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Quasar RAT
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 598949 Sample: OFgZPimwMy.exe Startdate: 29/03/2022 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 8 other signatures 2->59 10 OFgZPimwMy.exe 1 2->10         started        13 svhost.exe 2 2->13         started        process3 signatures4 69 Writes to foreign memory regions 10->69 71 Allocates memory in foreign processes 10->71 73 Injects a PE file into a foreign processes 10->73 15 AppLaunch.exe 15 7 10->15         started        20 conhost.exe 10->20         started        75 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->75 process5 dnsIp6 41 185.215.113.62, 30787, 49772 WHOLESALECONNECTIONSNL Portugal 15->41 43 123save.site 37.140.192.158, 49779, 80 AS-REGRU Russian Federation 15->43 37 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 15->37 dropped 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->45 47 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->47 49 Tries to harvest and steal browser information (history, passwords, etc) 15->49 51 Tries to steal Crypto Currency Wallets 15->51 22 svhost.exe 5 15->22         started        file7 signatures8 process9 file10 39 C:\Users\user\AppData\Roaming\...\svhost.exe, PE32 22->39 dropped 61 Antivirus detection for dropped file 22->61 63 Multi AV Scanner detection for dropped file 22->63 65 Detected unpacking (overwrites its own PE header) 22->65 67 3 other signatures 22->67 26 svhost.exe 2 22->26         started        29 schtasks.exe 1 22->29         started        signatures11 process12 signatures13 77 Antivirus detection for dropped file 26->77 79 Multi AV Scanner detection for dropped file 26->79 81 Detected unpacking (overwrites its own PE header) 26->81 83 2 other signatures 26->83 31 schtasks.exe 1 26->31         started        33 conhost.exe 29->33         started        process14 process15 35 conhost.exe 31->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94b0f090b6eea3eab0c799239b5a3be63245a4372272b06461b1e155c9b9535b/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2022-03-28 20:36:25 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
018f2af002d120d8f1008f4050a4f25762812a8e24f9cf8c506eff6009546dc8
RedLineStealer
1a2dd18cee343e86e992f506a4ce0f95568eb4e2bba8696ff9a810664cf7dd10
RedLineStealer
1ef31bf987a083644001df09ef84617b8ae4784a945558d813510a38688d2962
RedLineStealer
4a07a70731fe916d377888b49ac5bb01dac3f32a48a6311cd8fd616d9082cfa1
RedLineStealer
5b54867f600777e8cec30c3386a3d42f08da4e1a3a4e636f135e25e2d9850603
RedLineStealer
7605a5d355941ddf465272bd31583c254584b65b230c0fe7a93b8f887c5af3aa
RedLineStealer
7d124975437e9e3d3aab4a9fcb067532ad6cd8da6c99fa6a183f3343dc33f06a
RedLineStealer
aed0d35fe387f68070bb711b510c723876208a4adf77a8d8613252943967dd14
RedLineStealer
b38fb291fd59ee1e6886120513beb35fa6aae5f5b1ac77c0f1c8746458d49d2c
RedLineStealer
+ 1'989 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:mynewbuild infostealer spyware
Link:
https://tria.ge/reports/220329-jcy6vscgb5/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
RedLine
RedLine Payload
Malware Config
C2 Extraction:
185.215.113.62:30787
Unpacked files
SH256 hash:
4e004a01e1448e125fcd11de8e01225049b3b7c3885c9d728ba6f19203ebcd70
MD5 hash:
e558ed577e28e6f93926e8b461441e28
SHA1 hash:
e99b4399ced1d653a3666becf6629a61e2476854
Link:
https://www.unpac.me/results/b5554acb-5c58-4d49-bb25-724ed804db18/
SH256 hash:
37fb5206ce2234671cc76aae9bb853001edc5bc4ed3f2256d22f67617d5e4e78
MD5 hash:
4243a429e684873b79413589561b0c6c
SHA1 hash:
e8af54ab915528443b14502b5e2b6f6c039687af
Link:
https://www.unpac.me/results/b5554acb-5c58-4d49-bb25-724ed804db18/
SH256 hash:
94b0f090b6eea3eab0c799239b5a3be63245a4372272b06461b1e155c9b9535b
MD5 hash:
38db5a46a3e1e749720122b74d2ffd24
SHA1 hash:
fd07f64d2f0a88149822b8652c797ff0deebef38
Link:
https://www.unpac.me/results/b5554acb-5c58-4d49-bb25-724ed804db18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94b0f090b6eea3eab0c799239b5a3be63245a4372272b06461b1e155c9b9535b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 94b0f090b6eea3eab0c799239b5a3be63245a4372272b06461b1e155c9b9535b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1828051/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/259023/

Comments